Native user authentication
editNative user authentication
editThe easiest way to manage and authenticate users is with the internal native
realm. You can use the REST APIs or Kibana to add and remove users, assign user
roles, and manage user passwords.
Configuring a native realm
editThe native realm is available and enabled by default. You can disable it explicitly with the following snippet.
xpack.security.authc.realms.native.native1: enabled: false
You can configure a native
realm in the xpack.security.authc.realms.native
namespace in elasticsearch.yml
.
Explicitly configuring a native realm enables you to set the order in which it
appears in the realm chain, temporarily disable the realm, and control its
cache options.
-
Add a realm configuration to
elasticsearch.yml
under thexpack.security.authc.realms.native
namespace. It is recommended that you explicitly set theorder
attribute for the realm.You can configure only one native realm on Elasticsearch nodes.
See Native realm settings for all of the options you can set for the
native
realm. For example, the following snippet shows anative
realm configuration that sets theorder
to zero so the realm is checked first:xpack.security.authc.realms.native.native1: order: 0
To limit exposure to credential theft and mitigate credential compromise, the native realm stores passwords and caches user credentials according to security best practices. By default, a hashed version of user credentials is stored in memory, using a salted
sha-256
hash algorithm and a hashed version of passwords is stored on disk salted and hashed with thebcrypt
hash algorithm. To use different hash algorithms, see User cache and password hash algorithms. - Restart Elasticsearch.